CVE-2025-27810

Summary

Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to authentication bypasses such as replays.

Affected Software

VendorProductVersion RangeStatus
Mbedmbedtls0 < 2.28.10affected
Mbedmbedtls3.0.0 < 3.6.3affected

Weaknesses

  • CWE-908: CWE-908 Use of Uninitialized Resource

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References